Abstract

A policy describes the conditions under which an action is permitted or forbidden. We show that a fragment of (multi-sorted) first-order logic can be used to represent and reason about policies. Because we use first-order logic, policies have a clear syntax and semantics. We show that further restricting the fragment results in a language that is still quite expressive yet is also tractable. More precisely, questions about entailment, such as 'May Alice access the file?', can be answered in time that is a low-order polynomial (indeed, almost linear in some cases), as can questions about the consistency of policy sets. We also give a brief overview of a prototype that we have built whose reasoning engine is based on the logic and whose interface is designed for non-logicians, allowing them to enter both policies and background information, such as 'Alice is a student', and to ask questions about the policies.


1 Introduction

A policy describes the conditions under which an action, such as reading a file, is permitted or forbidden. Digital content providers have a rough idea of what their policies should be. Unfortunately, policies are typically described informally. As a result, their meaning and consequences are not always clear.

To better understand the problem, consider the statement 'only librarians may edit the on-line catalog'. We can view this statement as a policy, because it governs who may edit the catalog, based on whether or not the editor is a librarian. It is not clear if this policy permits librarians to make changes to the catalog or only forbids anyone who is not a librarian from doing so. The policy could be rewritten to remove this particular ambiguity, but others are likely to exist if policies are written in a natural language. Policy languages such as the Extensible rights Markup Language (XrML) [10] and Open Digital Rights Language (ODRL) [21] have the potential to be more formal (partly because their syntax is more restricted). Currently, however, the only semantics for these languages seems to be an English description of what the syntax means; thus, they also suffer from significant ambiguity. Our goal in this paper is to provide a logic with a clear syntax and semantics that can be used to represent and reason about policies. In addition, we want the logic to be well-suited to the needs of digital content providers. To achieve our objectives, we use a fragment of first-order logic. This automatically gives us a clear syntax and semantics; thus, it remains to argue that the logic is well-suited to the needs of digital content providers.

To be of practical use, a logic must satisfy (at least) the following three desiderata.

1. It must be expressive enough to capture in an easy and natural way the policies that people want to discuss.

2. It must be tractable enough to allow interesting queries about policies to be answered efficiently.

3. It must be usable by non-logicians, because we cannot expect policy makers and administrators to be well-versed in logic.

Of course, whether a logic is sufficiently expressive to meet our first objective depends very much on the application. To evaluate our approach, we gathered a large collection of policies from various libraries, including on-line collections, local and university libraries, the Library of Congress, and Cornell's Digital Library Research Group. We have written these policies in our language. In addition, we have begun to encode government policies in our language, including those that determine a person's eligibility for Social Security. Finally, we have created a translation from most of the XrML Core and all of the XrML Content Extension to our language. Details of the translation and a more complete discussion of the collected policies are given in a companion paper [19].

For the second desideratum, we focus on two key queries:

• Given a set of policies and an environment that provides all relevant facts (e.g., 'Alice is a librarian', 'Anyone who is a librarian for less than a year is a novice', etc.), does it follow that a particular action, such as Alice editing the on-line catalog, is permitted or forbidden?

• Is a set of policies consistent? In other words, are there no actions that are both permitted and forbidden by the policies in the set? This question is particularly interesting for collaboration. For example, suppose that Alice is writing the policies for her university's new outreach program. If the union of her policies and the university policies is consistent, then she knows that her policies do not contradict those of the university.

The answers to these questions could be used by enforcement mechanisms and individuals who want to do regulated activities. More importantly, we believe that the answers provide a reasonably good understanding of the policies, increasing our confidence that the formal statements capture the informal rules and the informal rules capture the policy creator's intent.

To address our third goal, the usability requirement, we developed, and are currently refining and extending, a prototype that allows users to enter policies, as well as facts about their environment, and to ask questions about them. This software will be tested by University of Virginia librarians as part of the Mellon-Fedora project [32] to verify that the language can be used by people who have not been trained in logic.

There have been a number of attempts to give formal semantics to policies, some of which involve first-order logic. Most of the first-order approaches are based on some variant of Datalog [16]. By beginning with Datalog, these solutions start with a language that is tractable, but not sufficiently expressive. They then extend the language to better meet the needs of applications. In particular, they find extensions that permit a limited use of negation and functions. The restrictions that we make are quite different from those made previously. We believe (and will argue throughout this paper) that the resulting language is especially well-suited for many applications, and has a number of advantages over variants of Datalog.

The rest of this paper is organized as follows. In the next section, we formally define our notions of a policy and an environment. We also give examples that illustrate how policies can be represented in an appropriate fragment of first-order logic. In Section 3 we show that, in general, the questions we want to ask about policies are hard to answer. In Section 4 we present some restrictions under which these questions are tractable. We give a brief overview of the prototype that we are building in Section 5. We discuss the Datalog approaches, as well as other related work, in Section 6. The paper concludes in Section 7 with plans for future research. Detailed proofs are left to the full paper.

2 A First-Order Logic for Reasoning About Policies

For the rest of the paper, we assume knowledge of many-sorted first-order logic at the level of Enderton [14]. More specifically, we assume the reader is familiar with the syntax of first-order logic, including constants, variables, predicate symbols, function symbols, and quantification, with the semantics of first-order logic, including relational models and valuations, and with the notions of satisfiability and validity of first-order formulas.

We use many-sorted first-order logic with equality over some vocabulary $\Phi$ to express and reason about policies. Let $\mathcal{L}^{fo}(\Phi)$ denote the set of first-order formulas over the vocabulary $\Phi$. For this paper, we assume that there are at least three sorts: Actions (e.g., accessing a file), Subjects (the agents that perform actions; these are sometimes called principals in the literature), and Times. While these sorts seem natural for any policy logic, other sorts may be desired for particular applications. These sorts, including objects and roles, may be added to the logic without affecting our results.

The vocabulary $\Phi$ is application dependent; however, we assume that $\Phi$ contains a binary predicate Permitted on Subjects $\times$ Actions and a constant $\mathit{now}$ of sort Times. $\mathit{Permitted}(t, t')$ means that subject $t$ is allowed to perform action $t'$. In practice, it may be useful to add additional arguments to Permitted, such as when the action is permitted and who is authorizing the granting or revoking of the permission. We have not included these here to simplify the exposition; including them would not change our results. The constant $\mathit{now}$ denotes the current time. In practice, a global clock would determine the interpretation of $\mathit{now}$.

A policy is a closed first-order formula of the form

$\forall x_1 \ldots \forall x_m (f \Rightarrow (\neg)\mathit{Permitted}(t, t'))$,

where $f$ is any first-order formula, $t$ and $t'$ are terms of sort Subject and Action respectively, and the notation $(\neg)\mathit{Permitted}$ indicates that the Permitted predicate may or may not be negated. Defining the policy in this way provides a structure that matches our intuition, namely, that a policy is a set of conditions under which an action is or is not permitted.

To illustrate how policies can be expressed in first-order logic, consider the following examples.


Example 2.1: The policy 'only librarians may edit the catalog' can be characterized by the following two policies

$\forall x(\neg\mathit{Librarian}(x) \Rightarrow \neg\mathit{Permitted}(x, \text{edit the catalog}))$
$\forall x(\mathit{Librarian}(x) \Rightarrow \mathit{Permitted}(x, \text{edit the catalog}))$.

(Depending on the intended meaning of the English statement, the first formula by itself may characterize the policy.)

Example 2.2: The policy 'a customer may download any article if she has paid a fee within the past six weeks' can be rewritten as 'if an individual $i$ has paid the fee within the past six weeks, $i$ is a customer, and $a$ is some article, then $i$ may download $a$'. The policy can be encoded readily in the logic as

$\forall i \forall t \forall a ((\mathit{PaidFee}(i, t) \wedge (\mathit{now} - 6 < t < \mathit{now}) \wedge \mathit{Customer}(i, \mathit{now}) \wedge \mathit{Article}(a)) \Rightarrow \mathit{Permitted}(i, \mathit{download}(a)))$.

Example 2.3: The policy set 'anyone may sing' and 'anyone who is allowed to sing may dance' can be characterized by the following two formulas:

$\forall x(\mathit{Permitted}(x, \mathit{sing}))$

$\forall x(\mathit{Permitted}(x, \mathit{sing}) \Rightarrow \mathit{Permitted}(x, \mathit{dance}))$.

To determine the consequences of a policy, we need to know what facts are true in the context in which the policies are applied. For example, to decide if the policies in Example 2.1 permit Alice to edit the catalog, we must know if Alice is a librarian. In other words, we must know if the statement $\mathit{Librarian}(\mathit{Alice})$ is true. This fact, along with all the others that are needed to analyze a set of policies, are contained in the environment. The environment may include very simple statements such as 'The Cat in the Hat is a children's book' or 'Sally has a junior library card'. More complex statements may also be included, such as the conditions under which a customer is considered to be in good standing and 'at all times, there is a senior staff member who is on call'. All the examples we have considered so far confirm our belief that first-order logic is sufficiently expressive to capture most environments that are likely to arise in practice. Thus, we formally define an environment to be a closed first-order formula that does not contain the Permitted predicate. The requirement that the environment not contain Permitted encourages the intuitive separation between the environment, which is a description of reality, and the policies, which are the rules governing that reality.

The two types of queries discussed in the introduction can now be formalized. The first query, is an individual $t$ permitted to perform an action $t'$ (where $t$ and $t'$ are closed terms) given an environment $E$ and some policies $p_1, \ldots, p_n$, amounts to asking if the formula $E \wedge p_1 \wedge \ldots \wedge p_n \Rightarrow \mathit{Permitted}(t, t')$ is valid. (Similarly, $t$ is forbidden to do $t'$ if and only if $E \wedge p_1 \wedge \ldots \wedge p_n \Rightarrow \neg\mathit{Permitted}(t, t')$ is valid.) The second query, 'Are the policies consistent?', asks if the formula $E \wedge p_1 \wedge \ldots \wedge p_n$ is satisfiable. For ease of exposition, we focus on determining if an action is permitted (or forbidden). As we show, it is easy to modify our techniques to handle the consistency question.
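The two queries just formalized can be answered mechanically when policies are literal-based rules and the environment is a conjunction of ground literals, the fragment studied in Section 4. The Python program below is an added example, not the authors' prototype or any procedure from the paper: it encodes Examples 2.1 and 2.3 as rules, derives ground consequences by forward chaining, and answers 'is $t$ permitted (or forbidden) to do $t'$?' as well as a weak form of the consistency question (whether some ground literal and its negation are both derivable). The encoding (strings for constants, names starting with '?' for variables, tuples for literals) and the names lit, consequences, decide and has_contradiction are my own assumptions. A variable left unbound by a rule's antecedent ('anyone may sing') ranges over the constants mentioned anywhere, which is sound because policies are universally quantified; no closed-world assumption is made, so an individual about whom the environment says nothing gets 'unknown'.

```python
from itertools import product

# Encoding (my own assumption): a literal is (positive, predicate, args);
# args are strings, and a string starting with '?' is a variable. A policy is
# (antecedent literals, conclusion literal) with Permitted, possibly negated,
# as the conclusion. A basic environment is a list of ground literals.

def lit(positive, pred, *args):
    return (positive, pred, tuple(args))

def is_var(term):
    return term.startswith("?")

def match(pattern, ground, binding):
    """One-sided match of a literal pattern against a ground literal.
    Returns the extended binding, or None if they do not match."""
    if pattern[:2] != ground[:2] or len(pattern[2]) != len(ground[2]):
        return None
    b = dict(binding)
    for p, g in zip(pattern[2], ground[2]):
        if is_var(p):
            if b.setdefault(p, g) != g:
                return None
        elif p != g:
            return None
    return b

def bindings(antecedent, known, binding):
    """Every binding under which each antecedent literal matches a known literal."""
    if not antecedent:
        yield binding
        return
    for g in known:
        b = match(antecedent[0], g, binding)
        if b is not None:
            yield from bindings(antecedent[1:], known, b)

def consequences(environment, policies, extra_constants=()):
    """Forward chaining: the ground literals derivable from E and the policies.
    Variables not bound by the antecedent range over all known constants."""
    constants = set(extra_constants)
    for l in environment:
        constants.update(l[2])
    for ante, concl in policies:
        for l in list(ante) + [concl]:
            constants.update(a for a in l[2] if not is_var(a))
    known = set(environment)
    changed = True
    while changed:
        changed = False
        for ante, concl in policies:
            for b in list(bindings(ante, known, {})):
                free = sorted({a for a in concl[2] if is_var(a) and a not in b})
                for values in product(sorted(constants), repeat=len(free)):
                    full = {**b, **dict(zip(free, values))}
                    new = (concl[0], concl[1], tuple(full.get(a, a) for a in concl[2]))
                    if new not in known:
                        known.add(new)
                        changed = True
    return known

def decide(environment, policies, subject, action):
    """First query: 'permitted', 'forbidden', 'both' (the set is inconsistent on
    this action) or 'unknown' (neither conclusion follows)."""
    known = consequences(environment, policies, (subject, action))
    pos = lit(True, "Permitted", subject, action) in known
    neg = lit(False, "Permitted", subject, action) in known
    return {(True, False): "permitted", (False, True): "forbidden",
            (True, True): "both", (False, False): "unknown"}[(pos, neg)]

def has_contradiction(environment, policies):
    """Second query, in the weak form supported here: do some ground literal and
    its negation both follow? If so, the policy set is inconsistent with E."""
    known = consequences(environment, policies)
    return any((not s, p, a) in known for (s, p, a) in known)

# Constructed sample data: Examples 2.1 and 2.3, plus the faculty/student
# policies of Section 4.1, with a two-person environment.
EDIT = "edit the catalog"
LIBRARY = [
    ([lit(False, "Librarian", "?x")], lit(False, "Permitted", "?x", EDIT)),
    ([lit(True, "Librarian", "?x")], lit(True, "Permitted", "?x", EDIT)),
]
SINGING = [
    ([], lit(True, "Permitted", "?x", "sing")),
    ([lit(True, "Permitted", "?x", "sing")], lit(True, "Permitted", "?x", "dance")),
]
CHAIR = [
    ([lit(True, "Faculty", "?x")], lit(True, "Permitted", "?x", "chair committees")),
    ([lit(True, "Student", "?x")], lit(False, "Permitted", "?x", "chair committees")),
]
ENV = [lit(True, "Librarian", "Alice"), lit(False, "Librarian", "Bob")]

if __name__ == "__main__":
    print(decide(ENV, LIBRARY, "Alice", EDIT), decide(ENV, LIBRARY, "Bob", EDIT),
          decide(ENV, LIBRARY, "Carol", EDIT), decide([], SINGING, "Alice", "dance"))
```

The derivation is sound for any environment and policies in this encoding, since every step is an instance of a universally quantified formula applied to known facts; completeness is exactly what Section 4 establishes for the restricted languages, and is not claimed for the checker in general.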

3 Intractability Results

In general, the queries in which we are interested cannot be answered efficiently. Indeed, the problem in its full generality is easily seen to be undecidable if the vocabulary $\Phi$ has at least one binary predicate other than Permitted (and closed terms $t$ and $t'$ of sort Subjects and Actions, respectively, so that it is possible to actually form queries). To see this, let $f$ be an arbitrary formula that does not contain Permitted. Consider the policy $f \Rightarrow \mathit{Permitted}(t, t')$, and let the environment be empty (i.e., $\mathit{true}$). Standard manipulations show that

$(f \Rightarrow \mathit{Permitted}(t, t')) \Rightarrow \mathit{Permitted}(t, t')$

is equivalent to

$f \vee \mathit{Permitted}(t, t')$.

Since $f$ does not mention Permitted, the last formula is valid iff $f$ is valid. The validity problem for first-order formulas is well-known to be undecidable, even if we restrict to formulas that contain a single binary predicate; indeed, undecidability holds even if we further restrict to formulas of the form $\exists x \exists y \forall z f'$, where $f'$ is quantifier-free [7]. This means that we cannot determine if a single policy implies a permission when the conditions under which the policy applies must be written in first-order logic as a formula of the form $\exists x \exists y \forall z f'$ where $f'$ has a binary predicate other than Permitted.

We can get the same result even without assuming that $\Phi$ has a binary predicate other than Permitted. This is summarized in the following theorem.

Theorem 3.1: Let $\mathcal{L}_0$ be the set of closed function-free formulas of the form $(f \Rightarrow \mathit{Permitted}(c, c')) \Rightarrow \mathit{Permitted}(c, c')$, where $c$ and $c'$ are constants of the appropriate sorts, $f$ has the form $\exists x \exists y \forall z f'$, and $f'$ is a quantifier-free formula whose only nonlogical symbol is Permitted. The validity question for $\mathcal{L}_0$ is undecidable.

It follows from Theorem 3.1 that we cannot determine if a set of policies imply a permission in an environment when the environment is empty, the policy set has only one policy, and that policy has a single alternation of quantifiers and no function symbols. Not surprisingly, similar undecidability results hold if we allow formulas in the environment to involve nontrivial quantification (provided that there is a binary predicate in the language other than Permitted, since we do not allow Permitted in the environment). Given Theorem 3.1, it seems that our only hope is to forbid any alternation of quantifiers.

How much quantification do we really need? A quantifier-free environment suffices to capture simple databases. However, we want to allow at least universal formulas in the environment so that we can state general properties, such as 'all freshman are students'. Universal quantification is even more critical in policies. If we do not allow a policy to have any quantification (i.e., define a policy to have the form $f \Rightarrow \mathit{Permitted}(t, t')$ where $t$ and $t'$ are closed terms and $f$ is quantifier-free), then each policy must govern a specific individual and action. For example, we can say 'If Alice is good, she may play outside', but we cannot say 'All good children may play outside'. Because policies typically permit an individual to do an action based on the attributes of that individual and action, we must allow policies to be universally quantified.

Policies with universal quantification (and a quantifier-free antecedent) are sufficiently expressive to capture the policies that we have collected from libraries and government databases. Although some of the collected policies appear to need existential quantification, they can be converted to formulas with universal quantification.

Example 3.2: Consider the policy 'anyone who is accompanied by a librarian may enter the stacks'. A natural way to state this in first-order logic is

$\forall x_1 (\exists x_2 (\mathit{Librarian}(x_2) \wedge \mathit{Accompanies}(x_2, x_1)) \Rightarrow \mathit{Permitted}(x_1, \mathit{enter}(\mathit{stacks})))$.

This formula is logically equivalent to

$\forall x_1 \forall x_2 ((\mathit{Librarian}(x_2) \wedge \mathit{Accompanies}(x_2, x_1)) \Rightarrow \mathit{Permitted}(x_1, \mathit{enter}(\mathit{stacks})))$,

which uses only universal quantification.

Note that $\mathit{enter}$ is a function in Example 3.2. Unfortunately, it is well known that the validity problem for existential formulas with functions is undecidable [7]. The following result is almost immediate:

Theorem 3.3: Let $\mathcal{L}_1$ be the set of closed formulas of the form $\forall x_1 \ldots \forall x_m (f \Rightarrow \mathit{Permitted}(t, t')) \Rightarrow \mathit{Permitted}(t, t')$, where $t$ and $t'$ are terms of the appropriate sort, and $f$ is a quantifier-free formula (possibly containing function symbols). The validity problem for $\mathcal{L}_1$ is undecidable.


Theorem 3.3 suggests that even if we drastically reduce quantification, we still need to disallow functions to get decidability. Once we restrict quantification to a bare minimum and remove functions entirely, then we do get a decidable fragment, but it's not tractable. Recall that $\Pi_2^p$ is the second level of the polynomial hierarchy, and represents languages that can be decided in co-NP with an NP oracle.

Theorem 3.4: Let $\Phi$ be a vocabulary that contains Permitted, constants $c$ and $c'$ of sorts Subjects and Actions, respectively, and possibly other predicate and constant symbols. Assume there is a bound on the arity of the predicate symbols in $\Phi$ (that is, there exists some $N$ such that all predicate symbols in $\Phi$ have arity at most $N$). Finally, let $\mathcal{L}_2$ be the set of all closed formulas in $\mathcal{L}^{fo}(\Phi)$ of the form $E \wedge p_1 \wedge \ldots \wedge p_n \Rightarrow \mathit{Permitted}(c, c')$ such that $E$ is a conjunction of quantifier-free and universal formulas and each policy $p_1, \ldots, p_n$ has the form $\forall x_1 \ldots \forall x_m (f \Rightarrow \mathit{Permitted}(t_1, t_2))$ where $t_1$ and $t_2$ are terms of the appropriate sort and $f$ is quantifier-free.

(a) The validity problem for $\mathcal{L}_2$ is in $\Pi_2^p$.

(b) If $\mathcal{L}_3$ is the set of formulas in $\mathcal{L}_2$ in which every policy's antecedent is a conjunction of literals, then the validity problem for $\mathcal{L}_3$ is $\Pi_2^p$-hard.

(c) If $\mathcal{L}_4$ is the set of $\mathcal{L}_2$ formulas in which $E$ is quantifier-free, then the validity problem for $\mathcal{L}_4$ is NP-hard.

We remark that if we do not require the arity of the predicate symbols in $\Phi$ to be bounded, then we must replace $\Pi_2^p$ by co-NEXPTIME (co-nondeterministic exponential time) in parts (a) and (b) [7].

Theorems 3.1, 3.3, and 3.4 seem to suggest that the questions we are interested in are hopelessly intractable. Fortunately, things are not nearly as bad as they seem.

4 Identifying Tractable Sublanguages

The work on Datalog and its variants mentioned in the introduction demonstrates that there are useful, tractable fragments of first-order logic. In this section we identify a different set of restrictions than those considered by the Datalog community, show that they lead to tractability, and argue that they are particularly well-suited to reasoning about policies.

4.1 Analyzing a restricted set of policies

Define a standard policy to be a policy of the form $\forall x_1 \ldots \forall x_n ((\ell_1 \wedge \ldots \wedge \ell_k) \Rightarrow (\neg)\mathit{Permitted}(t_1, t_2))$ where $\ell_1, \ldots, \ell_k$ are literals and both $t_1$ and $t_2$ are terms of the appropriate sort. A basic environment is an environment that is a conjunction of ground literals. Basic environments are sufficiently expressive to capture the information in databases and certificates. While this is adequate for many applications, basic environments cannot represent general properties, such as 'all freshmen are students'. To handle these, we define a standard environment to be an environment that is a conjunction of quantifier-free formulas and universal formulas of the form $\forall x_1 \ldots \forall x_n (\ell_1 \wedge \ldots \wedge \ell_k \Rightarrow \ell_{k+1})$, where $\ell_1, \ldots, \ell_{k+1}$ are literals. As argued in Section 3, standard policies seem sufficiently expressive to capture most (if not all) policies of interest. Basic environments suffice for many applications of interest; standard environments suffice for all the applications we have considered.

As a first step towards tractability, we consider only basic environments and make what may seem to be rather arbitrary restrictions on policies. (Later in this section we justify the restrictions and discuss standard environments.) One of the restrictions relies on a notion called bipolarity, which in turn relies on a well-known technique from theorem proving called unification [30].

Two literals $\ell$ and $\ell'$ are unifiable if there are variable substitutions $\sigma$ and $\sigma'$ such that $\ell\sigma = \ell'\sigma'$. For example, $P(x, c_1)$ and $P(c_2, y)$ are unifiable by substituting $c_2$ for $x$ and $c_1$ for $y$, while $P(x, c_1)$ and $P(y, c_2)$ are not unifiable (assuming that $c_1$ and $c_2$ are distinct constants). A literal $\ell$ is bipolar in formula $f$, written in CNF¹, if $\ell$ is in $f$ and there is another literal $\ell'$ in $f$ such that $\ell$ and $\neg\ell'$ are unifiable. The pair $\ell, \ell'$ is called a bipolar pair. For example, $\mathit{Permitted}(x, \mathit{nap})$ and $\mathit{Permitted}(\mathit{Advisor}(x), \mathit{nap})$ are the only bipolar literals in the formula $\forall x(\mathit{Permitted}(x, \mathit{play}) \wedge \mathit{Permitted}(x, \mathit{nap}) \Rightarrow \mathit{Permitted}(\mathit{Advisor}(x), \mathit{nap}))$.

Theorem 4.1: Let $\Phi$ be a vocabulary that contains Permitted (and possibly other predicate, constant, and function symbols). Let $\mathcal{L}_5$ consist of all closed formulas in $\mathcal{L}^{fo}(\Phi)$ of the form $E \wedge P \Rightarrow \mathit{Permitted}(t, t')$, where $P$ is a conjunction of standard policies and both $t$ and $t'$ are closed terms of the appropriate sort, such that

(a) $E$ is a basic environment,

(b) equality is not used in $E$ or $P$,

(c) if a variable appears in a policy $p$ in $P$, then it appears as an argument to Permitted in $p$, and

(d) there are no bipolars in $P$.

We can determine the validity of formulas in $\mathcal{L}_5$ in time $O((|E| + |P|) \log |E|)$, where $|\varphi|$ denotes the length of $\varphi$, when viewed as a string of symbols.

¹We say that a first-order formula is in CNF if it has the form $Q_1 x_1 \ldots Q_k x_k (\varphi_1 \wedge \ldots \wedge \varphi_n)$, where each $\varphi_i$ is a (quantifier-free) disjunction of literals and $Q_j \in \{\forall, \exists\}$ for $i = 1, \ldots, n$ and $j = 1, \ldots, k$. Each $\varphi_i$ is called a clause. We sometimes identify a universal formula in CNF with its set of clauses.


Note that the language $\mathcal{L}_5$ includes formulas such as

$\mathit{Student}(\mathit{Alice}) \wedge \mathit{Good}(\mathit{Alice}) \wedge \forall x(\mathit{Student}(x) \Rightarrow \mathit{Permitted}(x, \mathit{work})) \wedge \forall x(\mathit{Student}(x) \wedge \mathit{Good}(x) \Rightarrow \mathit{Permitted}(x, \mathit{play}))$

('Alice is a student, Alice is good, all students may work and all good students may play'). Unlike Theorem 3.4(c), function symbols are allowed in Theorem 4.1. Moreover, there is no assumption that the arity of predicates and functions in $\Phi$ is bounded. The price we pay for this added generality and for cutting the complexity to linear in the number of policies (which could well be large) and not much more than linear in the size of the database (which we expect to be relatively small, particularly in certificate-passing systems) is the four restrictions. Before describing the proof of Theorem 4.1, we argue that the restrictions are often met in practice and show how the restrictions can be relaxed so that the result is even more applicable.

As we have already said, basic environments are sufficiently expressive to capture the facts stored in databases and certificates. This is not always enough. For example, the documents that describe who may collect Social Security define an aged person to be anyone 65 years old or older, who is a resident of the U.S., and is either a citizen or an alien residing in the U.S. both legally and permanently. A basic environment cannot capture what it means to be aged, according to Social Security policies. Nevertheless, basic environments seem perfectly adequate for certificate-based permissions in the spirit of SPKI/SDSI [12, 13] and for licenses as described by XrML [10], which assumes a minimal environment containing facts such as the current time and the time of the most recent revocation polling.

The second restriction, that equality is not used, is a serious restriction. Without equality, we cannot express threshold policies ('if at least three different people vouch for Alice, then she can enter the club') nor can we express the identity of two individuals ('Miss Alice Smith = Mrs. Alice Jones'). Nevertheless, there are large classes of policies that do not require equality at all. (This includes the policies in the Social Security database and the library policies that we have considered.)

The third restriction, that every variable appearing in a policy $p$ also appears as an argument to Permitted in $p$, is met if an individual is granted or denied permission based solely on her attributes and the attributes of the regulated action. Notice that the policies in Examples 2.1 and 2.3 have this form, but the policies in Examples 2.2 and 3.2 do not. In particular, whether the policy in Example 3.2 allows $x_1$ to enter the stacks depends on an attribute of some other person $x_2$. As we shall see, we can allow variables to appear in policies without appearing as arguments to Permitted, as long as the number of such variables in any one policy is small.


The last restriction, that there are no bipolar literals in $p_1 \wedge \ldots \wedge p_n$, is likely to be met if all the policies are permitting policies (that is, their conclusions have the form $\mathit{Permitted}(t_1, t_2)$) or all are denying policies (that is, their conclusions have the form $\neg\mathit{Permitted}(t_1, t_2)$), and policies do not have Permitted in their antecedents. To see why, recall that a permitting policy says 'if the following conditions hold, then a particular action is permitted'. These conditions typically include requirements that someone possess one or more credentials, such as a library card or a driver's license. It is fairly rare that not having a credential, such as not having a driver's license, increases an individual's rights. Therefore, we do not expect credentials to correspond to bipolars. Similar arguments may be made for other types of information.

If the policy set includes a mix of permitting and denying policies, even if Permitted does not appear in the antecedent of policies, then it seems less likely that the bipolar restriction will hold. For example, consider the policy set $\{p_1, p_2\}$ where $p_1$ is 'faculty members may chair committees' and $p_2$ is 'students may not chair committees'. Formally,

$p_1 = \forall x(\mathit{Faculty}(x) \Rightarrow \mathit{Permitted}(x, \text{chair committees}))$
$p_2 = \forall x(\mathit{Student}(x) \Rightarrow \neg\mathit{Permitted}(x, \text{chair committees}))$

The literal $\mathit{Permitted}(x, \text{chair committees})$ is a bipolar in $p_1 \wedge p_2$. Once we allow Permitted in the antecedent of policies, things can get even worse. Suppose that we extend the Permitted predicate to take a third argument that says who is granting (or denying) permission. Now consider the policy set $\{p_1, p_2, p_3\}$ where $p_1$ is 'Mom allows Alice to play outside', $p_2$ is 'Dad allows Alice to play outside', and $p_3$ is 'if both Mom and Dad allow Alice to do something then the Parents allow it'. Formally,

$p_1 = \mathit{Permitted}(\mathit{Alice}, \text{play outside}, \mathit{Mom})$

$p_2 = \mathit{Permitted}(\mathit{Alice}, \text{play outside}, \mathit{Dad})$

$p_3 = \forall x(\mathit{Permitted}(\mathit{Alice}, x, \mathit{Mom}) \wedge \mathit{Permitted}(\mathit{Alice}, x, \mathit{Dad}) \Rightarrow \mathit{Permitted}(\mathit{Alice}, x, \mathit{Parents}))$

There are four bipolar literals in $p_1 \wedge p_2 \wedge p_3$.
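Unification and the bipolar check behind restriction (d) of Theorem 4.1, together with the variable restriction (c), are simple enough to implement directly, and doing so lets one test a policy set for the restrictions before relying on the theorem. The Python program below is an added example, not the authors' code: it unifies two literals under independent substitutions by renaming their variables apart, lists the bipolar literals of a clause set, and checks restriction (c) for a standard policy. It reproduces the examples of this subsection and of the definition above: $P(x, c_1)$ and $P(c_2, y)$ unify while $P(x, c_1)$ and $P(y, c_2)$ do not, the faculty/student set has one bipolar pair, the Mom/Dad set has four bipolar literals, the nap policy has exactly two, and Example 3.2 violates restriction (c) because $x_2$ never appears in Permitted. The term encoding, the function names and the occurs check are my own assumptions.

```python
# Encoding (my own assumption): a string starting with '?' is a variable, any
# other string is a constant, and a tuple (f, t1, ..., tn) is the function term
# f(t1, ..., tn). A literal is (positive, predicate, (t1, ..., tn)). A clause is
# a list of literals read as a disjunction with all variables universal.

def is_var(term):
    return isinstance(term, str) and term.startswith("?")

def rename(term, tag):
    """Tag every variable so two literals never share one: this realises the
    independent substitutions sigma and sigma' of the definition."""
    if is_var(term):
        return term + tag
    if isinstance(term, tuple):
        return (term[0],) + tuple(rename(a, tag) for a in term[1:])
    return term

def walk(term, subst):
    while is_var(term) and term in subst:
        term = subst[term]
    return term

def occurs(var, term, subst):
    term = walk(term, subst)
    if term == var:
        return True
    return isinstance(term, tuple) and any(occurs(var, a, subst) for a in term[1:])

def unify_terms(a, b, subst):
    """Syntactic unification with an occurs check; returns the extended
    substitution or None when the terms clash."""
    a, b = walk(a, subst), walk(b, subst)
    if a == b:
        return subst
    if is_var(a):
        return None if occurs(a, b, subst) else {**subst, a: b}
    if is_var(b):
        return unify_terms(b, a, subst)
    if isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] and len(a) == len(b):
        for x, y in zip(a[1:], b[1:]):
            subst = unify_terms(x, y, subst)
            if subst is None:
                return None
        return subst
    return None  # distinct constants, or a constant against a function term

def unifiable(l1, l2):
    """Do the atoms of l1 and l2 unify under independent substitutions? Signs ignored."""
    if l1[1] != l2[1] or len(l1[2]) != len(l2[2]):
        return False
    subst = {}
    for x, y in zip(l1[2], l2[2]):
        subst = unify_terms(rename(x, "_1"), rename(y, "_2"), subst)
        if subst is None:
            return False
    return True

def bipolar_literals(clauses):
    """Literals l of the clause set for which some other literal l' has l and
    not-l' unifiable, i.e. opposite sign and unifiable atoms."""
    all_lits = [l for clause in clauses for l in clause]
    return [l for i, l in enumerate(all_lits)
            if any(j != i and l[0] != m[0] and unifiable(l, m)
                   for j, m in enumerate(all_lits))]

def policy_clause(antecedent, conclusion):
    """CNF clause of a standard policy: negated antecedent literals plus the conclusion."""
    return [(not s, p, args) for (s, p, args) in antecedent] + [conclusion]

def variables(term, acc):
    if is_var(term):
        acc.add(term)
    elif isinstance(term, tuple):
        for a in term[1:]:
            variables(a, acc)
    return acc

def meets_variable_restriction(antecedent, conclusion):
    """Restriction (c) of Theorem 4.1: every variable of the policy occurs as an
    argument to Permitted somewhere in that policy."""
    in_permitted, everywhere = set(), set()
    for (_, pred, args) in antecedent + [conclusion]:
        for a in args:
            variables(a, everywhere)
            if pred == "Permitted":
                variables(a, in_permitted)
    return everywhere <= in_permitted

# Constructed samples: the policy sets of Section 4.1 and Example 3.2.
CHAIR = [
    ([(True, "Faculty", ("?x",))], (True, "Permitted", ("?x", "chair committees"))),
    ([(True, "Student", ("?x",))], (False, "Permitted", ("?x", "chair committees"))),
]
PARENTS = [
    ([], (True, "Permitted", ("Alice", "play outside", "Mom"))),
    ([], (True, "Permitted", ("Alice", "play outside", "Dad"))),
    ([(True, "Permitted", ("Alice", "?x", "Mom")), (True, "Permitted", ("Alice", "?x", "Dad"))],
     (True, "Permitted", ("Alice", "?x", "Parents"))),
]
NAP = [([(True, "Permitted", ("?x", "play")), (True, "Permitted", ("?x", "nap"))],
        (True, "Permitted", (("Advisor", "?x"), "nap")))]
STACKS = [([(True, "Librarian", ("?x2",)), (True, "Accompanies", ("?x2", "?x1"))],
           (True, "Permitted", ("?x1", ("enter", "stacks"))))]

if __name__ == "__main__":
    for name, policies in [("chair", CHAIR), ("parents", PARENTS), ("nap", NAP)]:
        print(name, len(bipolar_literals([policy_clause(*p) for p in policies])))
```

Renaming apart matters in the nap example: $\mathit{Permitted}(x, \mathit{nap})$ and $\mathit{Permitted}(\mathit{Advisor}(x), \mathit{nap})$ share $x$, and only with separate substitutions (bind the first $x$ to $\mathit{Advisor}(x)$ of the second) do they unify, which is what makes them a bipolar pair under the definition.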

4.2 Relaxing the restrictions

In this subsection, we discuss the consequences of relaxing some of the conditions in Theorem 4.1. In particular, we consider the effect of allowing standard environments, as opposed to basic ones, allowing a limited use of equality, allowing variables to appear in policies (and the standard environment) without also appearing as arguments to Permitted, and allowing each policy (and each environment fact) to have one bipolar. The bipolar restriction is further relaxed in Section 4.3.


We first consider the equality restriction. It turns out that we can allow equality in the quantifier-free portion of the environment. As a result, we can write statements such as 'Miss Alice Smith = Mrs. Alice Jones' and 'hearing = listening'. However, if we allow equality to be used in this way, then we need to generalize the definitions of unification and bipolarity. We say that $\ell$ and $\ell'$ are unifiable relative to a set $E$ of equality statements if there are variable substitutions $\sigma$ and $\sigma'$ such that it follows from $E$ that $\ell\sigma = \ell'\sigma'$. For example, $P(a)$ and $P(b)$ are unifiable relative to $a = b$. Similarly, we can talk about a literal $\ell$ being bipolar in formula $f$ relative to $E$.

We also can support equality in the antecedents of policies, but we cannot support inequalities. For example, we can handle the policy

$\forall x_1 \forall x_2((x_1 = \mathit{Spouse}(x_2)) \Rightarrow \mathit{Permitted}(x_1, \mathit{SpeakFor}(x_2))),$

but we cannot handle the policy

$\forall x_1 \forall x_2((x_1 \neq \mathit{Spouse}(x_2)) \Rightarrow \neg\mathit{Permitted}(x_1, \mathit{SpeakFor}(x_2))).$

(The first policy says 'an individual may speak for her spouse'. The second says 'an individual may not speak for someone who is not her spouse'.)

We now consider the variable restriction; first we relax it and then we remove it entirely. Suppose that every literal in every policy has at most one variable that doesn't appear in Permitted (which is the case in Examples 2.2 and 3.2) and there are $m$ constants that appear in the environment. Then the increase in complexity is only $O(m|P| \log |E|)$, and the time needed to answer our queries is $O((|E| + m|P|) \log |E|)$. Therefore, our language will not become intractable if we allow any number of variables to violate our original restriction, provided that each literal has only one such variable.

The NP-hardness result of Theorem 3.4(b) suggests that it will not be possible to get such low complexity in general. We can show that if there are at most $k$ variables in any policy that do not appear as arguments to Permitted, then the queries in which we are interested can be answered in time $O((|E| + m^k|P|) \log |E|)$. This result is not simply a generalization of the previous one. Our earlier result might apply to a policy set for which $k$ is greater than one. Consider the policy $\forall x_1 \forall x_2 \forall x_3 \forall x_4 (R_1(x_1, x_4) \wedge R_2(x_2, x_4) \wedge R_3(x_3, x_4) \Rightarrow \mathit{Permitted}(x_4, a))$. The condition in our first result is met by this policy, because each literal has only one variable that does not appear in Permitted. The second result applies with $k = 3$, because the policy has three variables that do not appear as arguments to Permitted, namely $x_1$, $x_2$, and $x_3$.

It is unlikely that these results can be significantly improved, because even with our bipolar restriction, we can show that the general problem is NP-complete. However, we expect that both $m$ and $k$ will be quite small in practice. Therefore, we can still answer queries efficiently in practice.

The following theorem summarizes the discussion thus far:

Theorem 4.2: Let $\Phi$ be a vocabulary that contains Permitted (and possibly other predicate, constant, and function symbols). Let $\mathcal{L}_2$ consist of all closed formulas in $\mathcal{L}^{fo}(\Phi)$ of the form $E \wedge P \Rightarrow \mathit{Permitted}(t, t')$, where $P$ is a conjunction of standard policies and both $t$ and $t'$ are closed terms of the appropriate sort, such that

(a) $E$ is a basic environment with $m$ constants,

(b) no policy in $P$ has an inequality in its antecedent, and

(c) there are no bipolars in $P$ relative to the equality statements in $E$.

If there are at most $k$ variables in a single policy that do not appear as arguments to Permitted, then we can determine the validity of the formula in time $O((|E| + m^k|P|) \log |E|)$. Moreover, if each literal in each policy has at most one variable that does not appear in Permitted, then we can determine the validity of the formula in time $O((|E| + m|P|) \log |E|)$.

Note that Theorem 4.2 allows equality in the environment $E$. Also, note that all of the examples in this paper, including Examples 2.2 and 3.2, meet the condition that every literal in every policy has at most one variable that does not appear in Permitted. Thus, we can answer our queries about these policies in time $O((|E| + m|P|) \log |E|)$.

We now extend our results to handle standard environments. For the purposes of this discussion, let $P$ be a conjunction of standard policies and let $E_0 \wedge E_1$ be a standard environment in which $E_0$ is a conjunction of ground literals and $E_1$ is a conjunction of universal formulas. Since Theorem 4.1 already handles universal formulas, namely policies, we could support standard environments by replacing every reference to $P$ in Theorem 4.1 with a reference to $P \wedge E_1$. In particular, we could replace the bipolar restriction in Theorem 4.1 with the statement 'there are no bipolars in $P \wedge E_1$'. However, if there are no bipolars in $P \wedge E_1$, then it is not hard to show that (as long as $E_0 \wedge E_1$ is consistent) a permission follows from $E_0 \wedge E_1 \wedge P$ iff it follows from $E_0 \wedge P$. In other words, unless we can relax the bipolar restriction, we cannot support interesting universal formulas in the environment. Fortunately, we can relax the bipolar restriction to allow one bipolar per clause. (As we show later, this is probably the best we can do.)

The result is summarized in the following theorem. The two conclusions regarding complexity correspond to the conclusions in Theorem 4.2, except now we must consider the variables that appear in $E_1$ as well as those that appear in $P$.

Theorem 4.3: Let $\Phi$ be a vocabulary that contains Permitted (and possibly other predicate, constant, and function symbols). Let $\mathcal{L}_3$ consist of all closed formulas $f$ in $\mathcal{L}^{fo}(\Phi)$ of the form $(E_0 \wedge E_1 \wedge P) \Rightarrow \mathit{Permitted}(t, t')$, where $E_0 \wedge E_1$ is a standard environment, $E_0$ is a conjunction of ground literals, $E_1$ is a conjunction of universal formulas, $P$ is a conjunction of standard policies, and both $t$ and $t'$ are closed terms of the appropriate sort, such that

(a) $E_0$ has $m$ constants,

(b) no conjunct in $E_1 \wedge P$ has an inequality in its antecedent, and

(c) each conjunct in $E_1 \wedge P$ has at most one literal that is bipolar in $E_1 \wedge P$ relative to the equality statements in $E_0$.

We can determine the validity of $f$ in time $O(|E_1 \wedge P| \log |E_1 \wedge P| + b|C_l| + T)$, where $b$ is the number of bipolar pairs in $f$ relative to the equality statements in $E_0$, $C_l$ is the longest conjunct in $f$, and $T$ is defined as follows. If every literal that appears in a conjunct in $E_1 \wedge P$ has at most one variable that does not appear as an argument to an instance of Permitted in that conjunct, then $T$ is $(|E_0| + m(|E_1 \wedge P| + b|C_l|)) \log |E_0|$. Otherwise, $T$ is $(|E_0| + m^k(|E_1 \wedge P| + b|C_l|)) \log |E_0|$, where $k$ is the largest number of variables appearing in a single conjunct that do not also appear as arguments to an instance of Permitted in that conjunct.

Because the environment, by definition, does not contain the Permitted predicate, every variable in a conjunct in $E_1$ is a variable that does not appear as an argument to Permitted.

For the rest of this subsection, we discuss why Theorems 4.1, 4.2, and 4.3 are true, and the role of the restrictions on bipolarity and equality.

These theorems are best understood in the context of the resolution procedure from theorem proving [30]. Resolution tries to find clauses $C_1$ and $C_2$ and a substitution $\sigma$ under which $C_1$ and $C_2$ refer to the same literal with different polarities (one refers to the literal $\ell$, the other to $\neg\ell$). If the search is successful, then a new clause, called the resolvent, is created by taking the disjunction of $C_1\sigma$ and $C_2\sigma$ after removing the shared literal from each clause. For example, given the clauses $\neg R(y) \vee \neg S(y)$ and $R(f(x)) \vee \mathit{Permitted}(g(x), z)$, the resolution procedure substitutes $f(x)$ for $y$ because, under this substitution, the clauses share the literal $R(f(x))$, with different polarities. The resolvent created from these clauses is then $\neg S(f(x)) \vee \mathit{Permitted}(g(x), z)$.² Throughout the rest of the paper, we refer to the clauses $C_1$ and $C_2$ as the parents of the resolvent and we say that we resolve on a literal $\ell$ (or $\neg\ell$) if that is the shared literal used in creating the resolvent. The closure of a universal formula $f$, denoted $R(f)$, is the smallest set of clauses such that $f \subseteq R(f)$ and if $r$ is a resolvent of two clauses that are in $R(f)$, then $r$ is in $R(f)$. A key property of the resolution procedure is the following statement. If no positive literal in $f$ (written in CNF) involves equality, then $R(f \wedge \forall x(x = x))$ contains false iff $f$ is not satisfiable. Thus, we can use resolution to check the validity of an existential formula provided that the formula (in CNF) does not refer to an inequality.

The reason for the equality restriction is that the resolution procedure assumes all constants are distinct, regardless of statements to the contrary. For example, consider the following three statements about Bob and Robert.

$f_1 = \mathit{Permitted}(\mathit{Bob}, \mathit{play}) \wedge \neg\mathit{Permitted}(\mathit{Robert}, \mathit{play})$

$f_2 = \mathit{Permitted}(\mathit{Bob}, \mathit{play}) \wedge \neg\mathit{Permitted}(\mathit{Bob}, \mathit{play})$

$f_3 = \mathit{Permitted}(\mathit{Bob}, \mathit{play}) \wedge \neg\mathit{Permitted}(\mathit{Robert}, \mathit{play}) \wedge (\mathit{Bob} = \mathit{Robert})$

It is easy to see that $R(f_1)$ is $f_1$, $R(f_2)$ contains false, and $R(f_3)$ is $f_3$. The resolution procedure does not resolve the clauses in $f_1$, because it assumes that Bob could be an individual different from Robert. In this case the assumption is correct and the desired property holds: $R(f_1)$ doesn't contain false and $f_1$ is satisfiable. As for $f_2$, the resolution procedure recognizes that the constant Bob in the first clause refers to the same individual as the constant Bob in the second. Thus, the procedure resolves the two clauses to create the resolvent false, which indicates that $f_2$ is not satisfiable. Now consider $f_3$. Because of the last clause in $f_3$, Bob cannot be a different individual than Robert; however, the resolution procedure fails to take this into account. Therefore, it does not resolve the first two clauses and $R(f_3)$ does not contain false, even though $f_3$ is unsatisfiable.

If equality occurs only in clauses that are ground literals, then the fix is straightforward. We simply compute, for each constant, the set of constants equal to it according to the equality statements among the ground literals. This partitions the constants into equivalence classes. We then choose a representative element from each equivalence class, and replace each occurrence of a constant by the equivalent representative element. For example, given $f_3$, we would replace every occurrence of Bob with Robert (or vice versa), since Bob and Robert are in the same equivalence class. Note that, after the substitution, there are two bipolar literals in $f_3$ when originally there were none. Since this procedure can add bipolars to the formula and we need to restrict bipolars for tractability, our theorems must refer to the number of bipolars after the substitutions have been made. This is why the theorems refer to the number of bipolars relative to a set of equality statements (if the environment has equality).

² Actually, the resolution procedure looks for a particular type of substitution called a most general unifier (mgu). This is why, in our example, we substitute $f(x)$ for $y$ instead of, say, substituting $f(a)$ for $y$ and $a$ for $x$. (See [30] for details.)
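The canonicalization step just described, as an added example that is not part of the paper: constants are partitioned by the ground equality statements, replaced by a class representative, and only then are bipolar literals counted. Literals are encoded as (polarity, predicate, args) tuples, only positive equality statements are handled (the paper excludes inequalities), and the formulas $f_1$, $f_2$, $f_3$ are constructed inline.

```python
from collections import defaultdict

# A ground literal is (polarity, predicate, args). The predicate '=' with
# polarity True is an equality statement; inequalities are deliberately not
# supported, matching the restriction in the text.

def equivalence_classes(equalities):
    """Union-find over the equality statements; returns {constant: representative}."""
    parent = {}

    def find(c):
        parent.setdefault(c, c)
        while parent[c] != c:
            parent[c] = parent[parent[c]]   # path compression
            c = parent[c]
        return c

    for a, b in equalities:
        ra, rb = find(a), find(b)
        if ra != rb:
            # the alphabetically first name represents the class
            parent[max(ra, rb)] = min(ra, rb)
    return {c: find(c) for c in parent}

def split_formula(conjuncts):
    """Separate a ground conjunction into its equality statements and other literals."""
    equalities = [tuple(args) for pol, pred, args in conjuncts if pred == '=' and pol]
    literals = [(pol, pred, tuple(args)) for pol, pred, args in conjuncts if pred != '=']
    return equalities, literals

def canonicalize(literals, rep):
    """Replace every constant by the representative of its equivalence class."""
    return [(pol, pred, tuple(rep.get(a, a) for a in args)) for pol, pred, args in literals]

def bipolar_literals(conjuncts):
    """Literals of the conjunction that are bipolar relative to its equality
    statements: a literal is bipolar if, after canonicalization, the
    conjunction also contains its negation."""
    equalities, literals = split_formula(conjuncts)
    canon = canonicalize(literals, equivalence_classes(equalities))
    polarities = defaultdict(set)
    for pol, pred, args in canon:
        polarities[(pred, args)].add(pol)
    return [orig for orig, (pol, pred, args) in zip(literals, canon)
            if len(polarities[(pred, args)]) == 2]

def ground_satisfiable(conjuncts):
    """A conjunction of ground literals is satisfiable iff it has no bipolar:
    resolving on a bipolar pair produces the empty clause, i.e. false."""
    return not bipolar_literals(conjuncts)

# Constructed inputs: the formulas f1, f2, f3 from the text.
F1 = [(True, 'Permitted', ('Bob', 'play')), (False, 'Permitted', ('Robert', 'play'))]
F2 = [(True, 'Permitted', ('Bob', 'play')), (False, 'Permitted', ('Bob', 'play'))]
F3 = F1 + [(True, '=', ('Bob', 'Robert'))]

if __name__ == '__main__':
    for name, f in (('f1', F1), ('f2', F2), ('f3', F3)):
        print(name, 'bipolar literals:', len(bipolar_literals(f)),
              'satisfiable:', ground_satisfiable(f))
```

Without the canonicalization step `F3` would report no bipolars and be judged satisfiable, which is exactly the failure of plain resolution on $f_3$ described above.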

We remark that, in general, dealing with equality in the context of resolution is nontrivial; it requires techniques such as paramodulation [8]. Our restrictions guarantee that these additional procedures are unnecessary.

The problem with applying resolution is that, in general, the number of clauses in $R(f)$ can be infinite, even if $f$ is a function-free formula with only two clauses.

Example 4.4: Suppose we have two policies; the first is 'Alice may play' and the second is 'for any individuals $x_1$ and $x_2$, if $x_1$ may play and $x_2$ is $x_1$'s boss, then $x_2$ may play'. We could write these policies as

$p_1 = \mathit{Permitted}(\mathit{Alice}, \mathit{play})$

$p_2 = \forall x_1, x_2(\mathit{Permitted}(x_1, \mathit{play}) \wedge \mathit{BossOf}(x_2, x_1) \Rightarrow \mathit{Permitted}(x_2, \mathit{play}))$

It is not hard to see that for any integer $n$, the closure of $p_1 \wedge p_2$ includes the clause $(\bigvee_{i=1}^{n} \neg\mathit{BossOf}(x_i, x_{i-1})) \vee \neg\mathit{BossOf}(x_0, \mathit{Alice}) \vee \mathit{Permitted}(x_n, \mathit{play})$. ∎

It turns out that the source of the difficulty in this example is the fact that $\mathit{Permitted}(x_1, \mathit{play})$ and $\mathit{Permitted}(x_2, \mathit{play})$ are bipolar literals. If we restrict the number of bipolar literals, the problem does not occur. Further restrictions give us tractability, as the following result shows. Parts c(i) and c(ii) of the proposition are again analogues of the two conclusions in Theorem 4.2.

Proposition 4.5: Let $f$ be a conjunction of ground literals. Let $f'$ be a formula in CNF with $n'$ bipolar pairs and $n$ clauses such that every clause has at most one instance of a bipolar literal in $f'$ relative to the equality statements in $f$ and no disjunct of the form $(t = t')$, where $t$ and $t'$ are terms.

(a) $R(f')$ has $n + n'$ clauses. Moreover, the resolution procedure runs in time $O(|f'| \log |f'| + n'|C_l|)$, where $C_l$ is the longest clause in $f'$.

(b) If $R(f') = \{C_1, \ldots, C_n\}$, then $R(f \wedge f') = R(f) \cup (\bigcup_{i \leq n} R(C_i \wedge f))$.

(c) Suppose $f$ has $m$ constants and $C$ is a clause in $R(f')$. Let $L_C$ be the set of literals in $C$ that unify with no more than one literal in $f$ relative to the equality statements in $f$. Let $V_C$ be the set of variables in $C$ that do not appear in any literal in $L_C$.

(i) If every literal in $C$ has no more than one variable that is in $V_C$, then we can determine if $R(f \wedge C)$ contains false in time $O((|f| + m|C|) \log |f|)$.

(ii) If $|V_C| = k$, then we can determine if $R(f \wedge C)$ contains false in time $O((|f| + m^k|C|) \log |f|)$.

The reason that Proposition 4.5(a) holds is that we resolve only on literals that are bipolar. It follows that the only resolvents created from the clauses in $f'$ are those created by the bipolar pairs, and only one resolvent is created per pair. Furthermore, these are the only resolvents in the closure, because none of the resolvents created by this process have a bipolar literal. To prove Proposition 4.5(b), we need one more fact (proved in the full paper): For any resolvent $r_k$ with one parent in $R(C_i \wedge f)$ and another in $R(C_j \wedge f)$, there is a resolvent $C_k$ whose parents are $C_i$ and $C_j$ (thus $C_k$ is in $R(f')$) such that $r_k$ is in $R(C_k \wedge f)$. Finally, for Proposition 4.5(c), it is easy to show that $R(C \wedge f)$ contains false iff either

(i) $R(f)$ contains false, or

(ii) there is a variable substitution $\sigma$ such that, for every disjunct $\ell$ in $C\sigma$, there is a conjunct of $f$ equivalent to $\neg\ell$ relative to the equality statements in $f$.

Since $f$ is a conjunction of ground literals, it is satisfiable unless there is a bipolar in $f$ (in which case resolving on the bipolar produces false). We can check this in time $O(|f| \log |f|)$, using an appropriate dictionary structure. Clearly, we can check if the second statement holds in time $m^k|C| \log |f|$ by simply trying all possible substitutions. (This observation leads to the result in Proposition 4.5(c)(ii).) Note that if a literal $\ell$ in $C$ unifies with only one literal in $f$, relative to the equalities in $f$, then the substitution $\sigma$ is essentially determined for the free variables in $\ell$. Thus, if the hypotheses of Proposition 4.5(c)(i) hold, then, after making all the required substitutions, each literal has at most one variable that has not yet been assigned a value. It is not hard to show that, in this case, each variable can be considered independently of the others. Therefore, we can try all possible assignments in time $O((|f| + m|C|) \log |f|)$.

The proof of Theorem 4.3 follows readily from Proposition 4.5. Consider a formula $g$ in $\mathcal{L}_3$ and formulas $f$ and $f'$ defined as follows:

$g = (E_0 \wedge E_1 \wedge P) \Rightarrow \mathit{Permitted}(t, t')$;

$f = E_0 \wedge \neg\mathit{Permitted}(t, t')$, and

$f' = E_1 \wedge P$.

Recall that $g$ is valid iff $R(f \wedge f')$ contains false. Because every conjunct in $E_1 \wedge P$ has at most one bipolar in $f'$, Proposition 4.5(a) applies, and we can calculate $R(f')$ in time $O(|f'| \log |f'| + n'|C_l|)$ where $n'$ and $C_l$ are as defined in the proposition. By Proposition 4.5(b), we can calculate $R(g)$ by calculating $R(f)$ and $R(f \wedge C_j)$ for every clause $C_j$ in $R(f')$. Finally, by Proposition 4.5(c), we can determine efficiently if any of these sets contain false. In particular, if every literal in $f'$ has at most one variable that does not appear as an argument to Permitted, then Proposition 4.5(c)(i) applies, because Permitted appears in only the policies and the query $\mathit{Permitted}(t, t')$ (and, thus, appears only once in $f$).

4.3  Beyond  the  bipolar  restriction 

As we have already observed, the bipolar restriction in Theorems 4.1, 4.2, and 4.3 might not hold in practice. In this section, we discuss two situations in which the restriction is unlikely to hold, and what can be done about it. The first is when policies use predicates that are, intuitively, defined in the environment. The second is when the policy set includes both permitting and denying policies (that is, the set has policies with Permitted in the conclusion and policies with $\neg$Permitted in the conclusion).

To understand the role of definitions, consider the policy 'any minor who is intoxicated may go to jail'. Now, suppose that an individual is a minor in New York if she is under twenty-one and she is a minor in Alaska if she is under eighteen. Also, an individual is intoxicated if she fails a breathalyzer test, can't touch her nose, or can't walk straight. Formally,

$p_1 = \forall x(\mathit{Minor}(x) \wedge \mathit{Intox}(x) \Rightarrow \mathit{Permitted}(x, \text{go to jail}))$
$e_1 = \forall x(\mathit{Under21}(x) \wedge \mathit{InNY}(x) \Rightarrow \mathit{Minor}(x))$
$e_2 = \forall x(\mathit{Under18}(x) \wedge \mathit{InAK}(x) \Rightarrow \mathit{Minor}(x))$
$e_3 = \forall x(\mathit{FailsBreathalyzer}(x) \Rightarrow \mathit{Intox}(x))$
$e_4 = \forall x(\neg\mathit{CanTouchNose}(x) \Rightarrow \mathit{Intox}(x))$
$e_5 = \forall x(\neg\mathit{CanWalkStraight}(x) \Rightarrow \mathit{Intox}(x))$

Roughly speaking, $e_1$ and $e_2$ define the notion of being a minor, while $e_3$, $e_4$, and $e_5$ define the notion of being intoxicated. These definitions are used in $p_1$ to regulate who may go to jail. It is easy to see that $p_1$ has two bipolars in $p_1 \wedge e_1 \wedge \ldots \wedge e_5$, namely Minor and Intox. Therefore, the bipolar restriction that we rely on for tractability is not met.

Definitions in this spirit arise frequently in the Social Security database. Thus, it is important to be able to handle them. Perhaps the simplest approach is just to rewrite the policy $p_1$ so as to replace Minor and Intox by their definitions. If we do this, then $p_1$ is replaced by the following six policies:

$p'_1 = \forall x(\mathit{Under21}(x) \wedge \mathit{InNY}(x) \wedge \mathit{FailsBreathalyzer}(x) \Rightarrow \mathit{Permitted}(x, \text{go to jail}))$

$p'_2 = \forall x(\mathit{Under21}(x) \wedge \mathit{InNY}(x) \wedge \neg\mathit{CanTouchNose}(x) \Rightarrow \mathit{Permitted}(x, \text{go to jail}))$

$p'_3 = \forall x(\mathit{Under21}(x) \wedge \mathit{InNY}(x) \wedge \neg\mathit{CanWalkStraight}(x) \Rightarrow \mathit{Permitted}(x, \text{go to jail}))$

$p'_4 = \forall x(\mathit{Under18}(x) \wedge \mathit{InAK}(x) \wedge \mathit{FailsBreathalyzer}(x) \Rightarrow \mathit{Permitted}(x, \text{go to jail}))$

$p'_5 = \forall x(\mathit{Under18}(x) \wedge \mathit{InAK}(x) \wedge \neg\mathit{CanTouchNose}(x) \Rightarrow \mathit{Permitted}(x, \text{go to jail}))$

$p'_6 = \forall x(\mathit{Under18}(x) \wedge \mathit{InAK}(x) \wedge \neg\mathit{CanWalkStraight}(x) \Rightarrow \mathit{Permitted}(x, \text{go to jail})).$

Notice that there are no bipolars in $p'_1 \wedge \ldots \wedge p'_6$ and the policies permit the same actions as $p_1 \wedge e_1 \wedge \ldots \wedge e_5$. Our translation also illustrates the potential problem with this approach: it can blow up the size of the policy set. Suppose that a policy $p$ has $m$ bipolar literals and that literal $i$ is defined using $c_i$ clauses. Rewriting would result in replacing policy $p$ by $c_1 \times \cdots \times c_m$ policies. Each of the new policies can also be longer than $p$, although the total length of each one can be no more than $|E_1|$, where $E_1$ is the first-order part of the environment. Is this so bad? Examples in the Social Security database suggest that $m$ is typically less than 3. In most cases, a bipolar is defined by only one clause. Thus, replacement does not typically increase the number of policies, although the individual policies are longer. These examples suggest that, in practice, definitions will not significantly reduce the efficiency of these procedures.
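The rewriting step, as an added example that is not the paper's code: each positive literal whose predicate is defined in the environment is replaced by the body of one of its defining clauses, and the product over all choices yields the $c_1 \times \cdots \times c_m$ rewritten policies. It assumes unary defined predicates and a single level of definitions (a definition body does not itself mention a defined predicate); $p_1$ and $e_1, \ldots, e_5$ are constructed inline.

```python
from itertools import product

# A literal is (polarity, predicate, args). A policy is (variable, antecedent,
# conclusion), standing for ∀variable(antecedent_1 ∧ ... ∧ antecedent_n ⇒ conclusion).
# A definition maps a predicate to its defining clauses, each (variable, body),
# standing for ∀variable(body_1 ∧ ... ∧ body_k ⇒ predicate(variable)).

def substitute(literal, var, term):
    """Replace variable `var` by `term` in one literal."""
    pol, pred, args = literal
    return (pol, pred, tuple(term if a == var else a for a in args))

def expand_literal(literal, definitions):
    """All ways to replace a positive defined literal by one of its definition bodies.
    Undefined or negated literals are kept unchanged (a single choice)."""
    pol, pred, args = literal
    if not pol or pred not in definitions:
        return [[literal]]
    (arg,) = args                      # assumption: defined predicates are unary
    return [[substitute(lit, var, arg) for lit in body]
            for var, body in definitions[pred]]

def rewrite_policy(policy, definitions):
    """Replace the policy by one policy per combination of definition bodies."""
    var, antecedent, conclusion = policy
    choices = [expand_literal(lit, definitions) for lit in antecedent]
    return [(var, [lit for part in combo for lit in part], conclusion)
            for combo in product(*choices)]

def blowup(policy, definitions):
    """The c_1 × ... × c_m count from the text, computed without rewriting."""
    n = 1
    for pol, pred, _ in policy[1]:
        if pol and pred in definitions:
            n *= len(definitions[pred])
    return n

def mentions(policies, predicates):
    """True if any antecedent literal still uses one of the given predicates."""
    return any(pred in predicates
               for _, antecedent, _ in policies
               for _, pred, _ in antecedent)

# Constructed inputs: p1 and the definitions e1..e5 from the text. The
# definitions use the variable 'y' to show that it is renamed on substitution.
P1 = ('x', [(True, 'Minor', ('x',)), (True, 'Intox', ('x',))],
      (True, 'Permitted', ('x', 'go to jail')))
DEFINITIONS = {
    'Minor': [('y', [(True, 'Under21', ('y',)), (True, 'InNY', ('y',))]),
              ('y', [(True, 'Under18', ('y',)), (True, 'InAK', ('y',))])],
    'Intox': [('y', [(True, 'FailsBreathalyzer', ('y',))]),
              ('y', [(False, 'CanTouchNose', ('y',))]),
              ('y', [(False, 'CanWalkStraight', ('y',))])],
}

if __name__ == '__main__':
    for i, (var, antecedent, conclusion) in enumerate(rewrite_policy(P1, DEFINITIONS), 1):
        print("p'%d: forall %s (%s => %s)" % (i, var, antecedent, conclusion))
```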

We next provide a condition that allows us to support policy sets that have both permitting and denying policies. This task would be easy if we could consider only the permitting policies (ignoring the denying policies) when determining if an action is permitted. Unfortunately, if we do this, then we might not answer queries correctly.

To see why, consider an environment $E$ that says 'Alice is a student' and a policy set $\mathcal{P} = \{p_1, p_2, p_3\}$, where $p_1$ says 'faculty members may chair committees', $p_2$ says 'students may not chair committees', and $p_3$ says 'anyone who is not a faculty member may take naps'. We can write these policies as

$p_1 = \forall x(\mathit{Faculty}(x) \Rightarrow \mathit{Permitted}(x, \text{chair committees})),$
$p_2 = \forall x(\mathit{Student}(x) \Rightarrow \neg\mathit{Permitted}(x, \text{chair committees})),$
$p_3 = \forall x(\neg\mathit{Faculty}(x) \Rightarrow \mathit{Permitted}(x, \mathit{nap})).$

Clearly, $p_1$ and $p_3$ are permitting policies and $p_2$ is a denying policy. Because $p_1$ is equivalent to $\forall x(\neg\mathit{Permitted}(x, \text{chair committees}) \Rightarrow \neg\mathit{Faculty}(x))$, $p_1$ and $p_2$ together imply that no student is a faculty member. (Intuitively, students cannot be faculty members, because no one can be both permitted and not permitted to chair committees.) Because students are not faculty members, Alice, being a student, is not a faculty member and, by $p_3$, may take a nap. We cannot determine that Alice may nap if we consider only the permitting policies, because to derive the permission we need the environment fact that is implied by $p_1 \wedge p_2$.

If each fact implied by a permitting and denying policy together were derivable from either the environment or a single policy, then we could separate the permitting policies from the denying policies. Intuitively, this is because the interaction would not provide any information that wasn't already known. To formalize this intuition, note that each implied fact corresponds to a resolvent of a permitting and denying policy. In the previous example, the implied fact that students are not faculty members corresponds to the resolvent of $p_1$ and $p_2$, namely $\forall x(\mathit{Faculty}(x) \Rightarrow \neg\mathit{Student}(x))$. Therefore, if every resolvent of a permitting and denying policy is already implied by the environment or a single policy, then we can separate the policies. Continuing our example, we could separate the policies if the environment said that students were not faculty members. A closer analysis shows that, because we are determining permissions and prohibitions, we need to consider only those resolvents that are created by resolving on a literal that involves Permitted.

We formalize all of this in the following theorem. But to do so, we need to discuss permitting and denying policies in a bit more detail. Note that a policy such as $\forall x(\mathit{Permitted}(\mathit{Alice}, x) \Rightarrow \mathit{Permitted}(\mathit{Bob}, x))$ is logically equivalent to both a permitting policy and a denying policy. (The denying policy is $\forall x(\neg\mathit{Permitted}(\mathit{Bob}, x) \Rightarrow \neg\mathit{Permitted}(\mathit{Alice}, x))$.) We say that a policy is pure if it is not logically equivalent to both a permitting and a denying policy. Note that policies that do not mention Permitted in the antecedent (which is the case for almost all the policies we have collected) are guaranteed to be pure.

Theorem 4.6: Suppose that $E$ is a standard environment and $\mathcal{P} = \{p_1, \ldots, p_n, d_1, \ldots, d_m\}$ is a set of policies, where $p_1, \ldots, p_n$ are pure permitting policies and $d_1, \ldots, d_m$ are (not necessarily pure) denying policies. If it is the case that for every pure permitting policy $p \in \mathcal{P}$, every (pure or impure) denying policy $d \in \mathcal{P}$, and every resolvent $f$ created by resolving $p$ and $d$ on a literal that involves Permitted, either $E \Rightarrow f$ is valid or $q \Rightarrow f$ is valid for some $q$ in $\mathcal{P}$, then $E \wedge p_1 \wedge \ldots \wedge p_n \wedge d_1 \wedge \ldots \wedge d_m \Rightarrow \mathit{Permitted}(t, t')$ is valid iff $E \wedge p_1 \wedge \ldots \wedge p_n \Rightarrow \mathit{Permitted}(t, t')$ is valid for any terms $t$ and $t'$ of the appropriate sort.

Of course, a similar result holds for prohibitions.

Given an environment and a set of policies, we can always add clauses to obtain an equivalent environment and policy set that meets the theorem's conditions. Therefore, the question isn't 'how likely are these conditions to be met in practice', but 'how many clauses are we going to have to add so that these conditions are met'. Example 4.4 shows that we may need to add an infinite number of policies to the set. However, for policy sets where Permitted appears only in the conclusions of policies, it is easy to see that every resolvent is an environment fact and there is, at most, one resolvent per pair of permitting and denying policies. So, if the policy set consists of $n$ policies, then we can satisfy the antecedent of Theorem 4.6 by adding at most $n^2$ clauses to the environment.
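The clause-generation step just described, as an added example that is not the paper's code: every pure permitting policy is resolved against every denying policy on their Permitted literals, and each resolvent that is not already present is reported as a clause to add to the environment. It assumes function-free clauses without equality in which Permitted occurs only in conclusions (so every policy is pure), and "already implied" is approximated by a syntactic check (the resolvent equals, up to variable renaming, a clause of the environment or a policy) rather than full entailment; the environment and $p_1, p_2, p_3$ from the text are constructed inline.

```python
# A clause is a tuple of literals (polarity, predicate, args). A policy
# ∀x(A_1 ∧ ... ∧ A_n ⇒ L) is stored as the clause ¬A_1 ∨ ... ∨ ¬A_n ∨ L.
# Variables are strings beginning with '?'; everything else is a constant.

def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def deref(t, theta):
    """Follow variable bindings in the substitution theta."""
    while is_var(t) and t in theta:
        t = theta[t]
    return t

def unify(args1, args2):
    """Most general unifier of two argument tuples (function-free), or None."""
    if len(args1) != len(args2):
        return None
    theta = {}
    for a, b in zip(args1, args2):
        a, b = deref(a, theta), deref(b, theta)
        if a == b:
            continue
        if is_var(a):
            theta[a] = b
        elif is_var(b):
            theta[b] = a
        else:
            return None            # two distinct constants never unify
    return theta

def rename(clause, suffix):
    """Standardize variables apart before resolving two clauses."""
    return tuple((pol, pred, tuple(a + suffix if is_var(a) else a for a in args))
                 for pol, pred, args in clause)

def apply(clause, theta):
    return tuple((pol, pred, tuple(deref(a, theta) for a in args))
                 for pol, pred, args in clause)

def normalize(clause):
    """Rename variables in order of appearance and sort literals, so that
    clauses that differ only by variable names compare equal."""
    names, lits = {}, []
    for pol, pred, args in clause:
        new_args = tuple(names.setdefault(a, '?v%d' % len(names)) if is_var(a) else a
                         for a in args)
        lits.append((pol, pred, new_args))
    return tuple(sorted(set(lits)))

def resolvents_on_permitted(p, d):
    """Every resolvent of permitting clause p and denying clause d obtained by
    resolving on a literal that involves Permitted."""
    d = rename(d, "'")
    out = []
    for i, (pol1, pred1, args1) in enumerate(p):
        for j, (pol2, pred2, args2) in enumerate(d):
            if pred1 == 'Permitted' == pred2 and pol1 != pol2:
                theta = unify(args1, args2)
                if theta is not None:
                    rest = p[:i] + p[i + 1:] + d[:j] + d[j + 1:]
                    out.append(normalize(apply(rest, theta)))
    return out

def missing_clauses(env, permitting, denying):
    """Resolvents of permitting/denying pairs that are not (syntactically)
    already a clause of the environment or of some policy; adding them to
    the environment satisfies the antecedent of Theorem 4.6."""
    known = {normalize(c) for c in env + permitting + denying}
    return {r for p in permitting for d in denying
            for r in resolvents_on_permitted(p, d) if r not in known}

# Constructed inputs: E = 'Alice is a student' and the policies p1, p2, p3.
ENV = [((True, 'Student', ('Alice',)),)]
P1 = ((False, 'Faculty', ('?x',)), (True, 'Permitted', ('?x', 'chair committees')))
P2 = ((False, 'Student', ('?x',)), (False, 'Permitted', ('?x', 'chair committees')))
P3 = ((True, 'Faculty', ('?x',)), (True, 'Permitted', ('?x', 'nap')))
PERMITTING, DENYING = [P1, P3], [P2]

if __name__ == '__main__':
    for clause in missing_clauses(ENV, PERMITTING, DENYING):
        print('add to environment:', clause)
```

The single clause reported for these inputs is the environment fact 'no faculty member is a student'; once it is added, `missing_clauses` returns an empty set and, by Theorem 4.7, the policy set is consistent whenever the environment is.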

Instead of adding these clauses to the environment automatically, it may be better to verify the changes with the policy maker. To see why, recall the two policies 'faculty members may chair committees' and 'students may not chair committees'. We could satisfy the antecedent of Theorem 4.6 by adding the fact 'no student is a faculty member' to the environment. But suppose that there is (or could one day be) a student who is also a faculty member. Then the policy maker may want to revise the policies to take this into account, rather than allowing the environment to (possibly) become inconsistent. In general, we expect that the additional facts needed to satisfy the antecedent of Theorem 4.6 will be ones that either the user would agree should have been there all along or are ones that should not be there and in fact suggest that the policies should be rewritten. By querying policy makers, we help them to write better policies.

Another advantage of querying the policy maker is that the implied facts may remind her of a general fact that should be added to the environment. For example, the policies 'men under 65 may apply for health plan A', 'men who do not smoke may apply for health plan A', and 'women may not apply for health plan A' imply the facts 'men under 65 are not women' and 'men who do not smoke are not women'. Rather than adding both facts to the environment, the policy maker may prefer to add the fact 'men are not women' and in this way simplify the environment.

4.4  Consistency 

In  this  section,  we  consider  the  problem  of  checking 
consistency.  (Recall  that  an  environment  E  and  policy  set 

P  =  {pi, . . .  ,pn}  is  consistent  if  E  A  pi  A _ .  A  Pn  is 

satisfiable.)  Clearly  E  A.  p\  A  ...  A  pn  is  not  consistent 
iff  E  A  pi  A  ...  A  pn  implies  both  Permitted(ci ,  ca)  and 
-Permitted  (ci .  C2),  for  some  arbitrary  constants  c\  and  C2. 
Thus,  we  can  apply  our  previous  techniques  to  checking 
consistency.  However,  we  can  say  even  more.  If  the  condi¬ 
tion  of  Theorem  4.6  (or  the  corresponding  condition  for  de¬ 
termining  prohibitions)  is  met,  then  we  automatically  have 
consistency,  provided  that  E  is  consistent. 

Theorem 4.7: Suppose that $E$ is a simple environment and $P = \{p_1, \ldots, p_n, d_1, \ldots, d_m\}$ is a set of policies such that the antecedent of Theorem 4.6 holds. Then $E \wedge p_1 \wedge \ldots \wedge p_n \wedge d_1 \wedge \ldots \wedge d_m$ is satisfiable iff $E$ is satisfiable.

Thus, in addition to making it feasible to check the consequences of policies, our conditions essentially prevent users from writing inconsistent policies. This is a major benefit of adhering to these restrictions!


5 Prototype

We have presented an expressive, tractable logic for reasoning about policies. But how can policy writers and administrators (users), who are not logicians, benefit from such a logic? We believe that an appropriate interface would allow users to state their policies and the relevant facts, as well as to make queries, without writing formulas. Their input could be translated into our fragment of first-order logic and then answers to their queries could be translated back into natural language to produce reasonable answers to the original (pre-translated) questions. We are in the process of building a prototype that allows users to enter information by filling in blanks in English sentences. Although many of the details are still being refined, we have completed a basic interface and a translation from the interface to first-order logic. Due to space constraints, we do not give a complete description of the interface, nor do we provide a formal translation from the fields entered by users to first-order formulas. We are preparing a paper that will discuss this in detail. Here we just present the highlights of our approach.

A user creates policies and states environment facts by filling in blanks in English sentences. For example, the user could record the fact that Alice Smith paid her dues to Bob Jones at 10 AM on May 1, 2002, by selecting the appropriate environment form and filling in the white boxes as shown in Figure 1.

When designing the prototype, we need to decide which English sentences should be supported, where the blanks should go, and what symbols may go in each blank. The first two questions can be answered by analyzing the structure of the policies that we collected and the environment facts on which they rely. Addressing the last question is more interesting. Based on the structure of the sentences, it is easy to decide which blanks should take terms and which should take predicate symbols, but it is less clear what those symbols should be. This choice depends on the application, and for any particular application the appropriate choice may change over time. For example, a library may want a constant symbol for each patron. The set of library patrons, however, is not fixed. To handle this, we allow users to create symbols on the fly, while filling in the sentences. We can, for the most part, infer what type of symbol it is (subject, predicate, etc.) from its use. The only exception is that the user must help us distinguish constants from variables.

Figure 1. A typical action record.

A drawback to having a nonfixed language is that a user may have difficulty remembering precisely which terms have been defined. For example, a policy maker may wonder if a predecessor used the term ‘graduate student’, ‘grads’, ‘gradStudent’, or something else to refer to the graduate population. To minimize this confusion, we provide a directory system for the various sorts (e.g., the subject ‘grad’ may be in the directory ‘subjects/university/students’). When a new symbol is defined, the policy maker puts the symbol in the appropriate directory, where appropriateness, like the directories themselves, is determined by the users. When searching for the forgotten symbol, the user can consult these directories, which are accessible from the main menu and by clicking on the buttons beside the blanks in the English sentences.

The interface to the system has been designed to support standard environments and policies. In other words, the user cannot fill in the English sentences in such a way that our translation creates either a nonstandard environment or a nonstandard policy. The user, however, can enter a permitting policy and a denying policy that together imply a fact that is not in the environment or a policy that is not implied by one already in the set. Therefore, the antecedent of Theorem 4.6 may not hold. If we are not certain that it holds, then we ask the user if a conflict could occur and, if so, how it should be handled. We then either extend the environment to include the missing fact or we modify the policies to reflect the policy maker’s actual intent.

6 Related Work

Our work has been heavily influenced by the work of Halpern, van der Meyden, and Schneider [18]. Their paper discusses key issues that must be addressed when designing a policy language, evaluates various solutions that have been proposed in the literature, and recommends directions for future research. Our design incorporates three of their suggestions. First, Halpern et al. seem to favor first-order logic for handling policies. Second, they advocate defining sorts for principals, actions, and time, which is common in the literature. Third, they suggest having a Permitted predicate that takes an individual and an action argument (and perhaps others). (This usage of Permitted is much in the spirit of how it is used in modal deontic logic [28, 29].) In essence, we have tailored a logic that was based on their recommendations to serve the expressive and tractability needs of applications.

Many people in the trust management and access control communities have defined tractable policy languages using a fragment of first-order logic. The standard approach (see, for example, Delegation Logic [25], the RT (Role-based Trust-management) framework [27], Binder [11], SD3 [24], and FAF (Flexible Authorization Framework) [23]) is to describe policies in such a way that they can be analyzed using a variant of Datalog, typically either safe stratified Datalog [16] or Datalog with constraints [31, 33]. Datalog is an efficient, well-understood reasoning engine that was originally designed for function-free, negation-free Horn clauses. The variants allow some use of functions and negation, while preserving tractability.

There are relatively few policy languages that support functions, but those that do (e.g. [2, 26]) seem to favor a variant of Datalog called Datalog with constraints. By using this variant, many structured resources, such as directories and even time, can be expressed using functions. However, function symbols may not appear in intensional predicates (predicates whose relations are computed by applying Datalog rules, as opposed to being stored in a database). Also, for tractability, additional restrictions are often made. For example, Li and Mitchell [26] do not allow formulas in constraints to have more than one variable.

There are a number of policy languages that support negation. This is typically done using safe, stratified Datalog (e.g. [25], [27], [11], and [24]). Safe, stratified Datalog allows some use of negation in the body of rules. The relaxation is not sufficient for all permitting policies of interest. For example, the policy

$\forall x\,(\neg\mathit{BadCredit}(x) \Rightarrow \mathit{Permitted}(x, \mathit{apply\ for\ loan}))$

(anyone without bad credit may apply for a loan) is not supported. More importantly, denying policies cannot be written in safe, stratified Datalog, because the language does not allow negation in the conclusion of rules.

This limitation may not seem to be particularly troublesome. After all, the standard approach, used in relational databases [17], as well as by UNIX [35], SPKI/SDSI [34, 13, 12], KeyNote [4], and almost all of the Datalog-based approaches, is to assume that everything that is not explicitly permitted is prohibited. However, it is difficult to believe that most policy makers really want to forbid every action that they do not explicitly permit. Thus, the assumption may be acceptable in various instances, but it does not capture the policy maker’s actual intent. This becomes a problem when different policy makers want to combine their policies. For example, consider a group of libraries that want to merge their policies so that patrons are affected by the same regulations, regardless of which library they visit. When merging the policy sets, we clearly want to detect conflicts (e.g. one library lets minors check out adult books and another does not). Unfortunately, if a language can state only what is permitted, then this will be impossible. If we put the permitting policies from each library into one large set, then that set will be consistent (it is satisfied in the model that permits everything), regardless of which policies are in the set. Alternatively, we could require that no library permits an action that another forbids (which is what we want to do) under the assumption that every unregulated action is forbidden. It is not hard to see that this approach will always detect a conflict between sets of library policies, unless the policies are essentially identical. For example, if one library allows patrons to access the coat room and another library’s policies don’t mention a coat room (perhaps because that library doesn’t have one), then the policy sets would be flagged as inconsistent, since one allows access and the other forbids it by not explicitly permitting. The bottom line is that it seems unlikely that a policy language will be able to support mergers, unless the language supports both permitting and denying policies. We believe that the issue of merging policies has by and large been ignored, but is an increasingly significant one.

Although we do not know of a Datalog variant that allows negation in the conclusions of rules, there is an extension that allows unrestricted use of negation in the body of rules. Jajodia et al. [23] show that in certain settings this extension, called Datalog with negation, can capture negated conclusions. But this approach to adding negation to Datalog, although it does support both permitting and denying policies, has its own problems. Datalog with negation is tractable because it makes the closed world assumption. According to this assumption, if we cannot prove that a positive literal is true, we assume it is false. Unfortunately, the closed world assumption can lead to unintuitive (and probably unintended) results. For example, consider the single policy ‘If Alice is not a student, then she may play’ and suppose that the reasoning engine can recognize a student only when she presents her ID. If Alice is a student who does not present her ID and the reasoning engine makes the closed world assumption, then the reasoning engine will incorrectly assume that Alice is not a student and, thus, permit her to play.
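An added example, not code from the paper or its prototype: a small Python evaluator for ground policies of the kind discussed above (premises implying Permitted or its negation) that runs the Section 4.4 consistency check (both Permitted(c1, c2) and its negation derivable) over the library-merger scenario, and whose closed-world switch reproduces the Alice-may-play pitfall just described. The tuple encoding of literals, the constant and action names, and the two library policy sets are assumptions constructed for the example.

```python
# Constructed example (not the paper's prototype): forward-chaining evaluation of
# policies `premises => Permitted(x, a)` / `=> not Permitted(x, a)`, the Section 4.4
# consistency check, and a switch between open- and closed-world negation.
# A literal is (sign, predicate, args); "?x"-style args are variables (assumed encoding).

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def unify(pattern, fact, binding):
    """Extend `binding` so that `pattern` equals the ground `fact`; None if impossible."""
    if pattern[:2] != fact[:2] or len(pattern[2]) != len(fact[2]):
        return None
    b = dict(binding)
    for p, f in zip(pattern[2], fact[2]):
        if (b.setdefault(p, f) if is_var(p) else p) != f:
            return None
    return b

def satisfy(lit, facts, binding, closed_world):
    """Bindings under which premise `lit` holds.  Open world: a negated premise needs the
    negated fact stated.  Closed world: it holds when no positive fact matches (unknown = false)."""
    if lit[0] or not closed_world:
        return [b for f in facts for b in [unify(lit, f, binding)] if b is not None]
    positive = (True,) + lit[1:]
    return [] if any(unify(positive, f, binding) is not None for f in facts) else [binding]

def derive(env, policies, closed_world=False):
    """Apply the policies to the environment facts until no new literal appears."""
    facts, changed = set(env), True
    while changed:
        changed = False
        for premises, (csign, cpred, cargs) in policies:
            bindings = [{}]
            for lit in premises:
                bindings = [b2 for b in bindings for b2 in satisfy(lit, facts, b, closed_world)]
            for b in bindings:
                new = (csign, cpred, tuple(b.get(a, a) for a in cargs))
                if new not in facts:
                    facts.add(new)
                    changed = True
    return facts

def conflicts(facts):
    """Section 4.4: pairs (c1, c2) with both Permitted(c1, c2) and not Permitted(c1, c2)."""
    return sorted(args for s, p, args in facts
                  if s and p == "Permitted" and (False, p, args) in facts)

# Constructed library policy sets for the merger discussion: A permits minors to check
# out adult books and patrons to use the coat room; B forbids minors the adult books.
LIB_A = [([(True, "Minor", ("?x",))], (True, "Permitted", ("?x", "checkout_adult_book"))),
         ([(True, "Patron", ("?x",))], (True, "Permitted", ("?x", "use_coat_room")))]
LIB_B = [([(True, "Minor", ("?x",))], (False, "Permitted", ("?x", "checkout_adult_book")))]
ENV = {(True, "Patron", ("Carol",)), (True, "Minor", ("Carol",))}

def merged_conflicts():
    # Only the adult-book rules clash; B saying nothing about the coat room is no conflict.
    return conflicts(derive(ENV, LIB_A + LIB_B))

# 'If Alice is not a student, then she may play', with no fact about Alice's status.
PLAY = [([(False, "Student", ("Alice",))], (True, "Permitted", ("Alice", "play")))]
def alice_may_play(closed_world):
    return (True, "Permitted", ("Alice", "play")) in derive(set(), PLAY, closed_world)
```

With the open-world reading, Alice is permitted to play only once the environment explicitly states that she is not a student.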

If a policy language can capture both permitting and denying policies, then conflicts can be detected and resolved in some prescribed way. For example, FAF [23] expects the user to create an overriding policy such as ‘if an action is both permitted and forbidden, then it is forbidden’. However, as we have already seen, there are problems with the FAF approach to dealing with conflicts. Similar approaches are taken in [9, 22]. In our language, as long as all pairs of permitting and denying policies satisfy the antecedent of Theorem 4.6, policies cannot be inconsistent, so we do not need overriding policies.

One way in which it may seem that our language is restricted is that we do not provide explicit support for groups and roles. Many policy languages talk about groups, where a group is a set of subjects such that if a group has a property, then every member of the group has the property (cf. [1, 23]). In role-based access control models [27, 36, 15, 20], roles are an intermediary between individuals and rights. More specifically, an individual obtains a right by assuming a role that is associated with that right. For example, Alice may need to assume the role of Department Chair in order to obtain the budget.

We do not need to support groups and roles explicitly because we can easily capture both in first-order logic using appropriate predicates. For example, if we want to say that Alice is a member of the faculty and any faculty member may chair committees, then we can represent the group using the predicate $\mathit{Faculty}$. The environment fact is encoded as $\mathit{Faculty}(\mathit{Alice})$; the policy is then

$\forall x\,(\mathit{Faculty}(x) \Rightarrow \mathit{Permitted}(x, \mathit{chair\ committees}))$.

Similarly, the policy ‘Alice, acting as the Department Chair, may sign the budget’ can be written as

$\mathit{Dept.\ Chair}(\mathit{Alice}) \Rightarrow \mathit{Permitted}(\mathit{Alice}, \mathit{sign\ the\ budget})$.

The fact $\mathit{Dept.\ Chair}(\mathit{Alice})$ would be added to the environment when Alice assumes the role and would be removed when she relinquishes it. Alternatively, we could add a sort Roles to our logic along with the predicate $\mathit{As}$ (as suggested in [1]), where $\mathit{As}(e, r)$ means that entity $e$ is acting as role $r$ (in other words, $e$ has assumed role $r$). Continuing our example, ‘Alice, acting as the Department Chair, may sign the budget’ could be written in the logic as $\mathit{As}(\mathit{Alice}, \mathit{Dept.\ Chair}) \Rightarrow \mathit{Permitted}(\mathit{Alice}, \mathit{sign\ the\ budget})$. The second encoding for roles may be more in keeping with the spirit of the role-based model, but we believe that both approaches are reasonable (and our results apply to both choices).

Finally, we should note that the KeyNote system [3] (formerly called PolicyMaker [4]) is more flexible than our approach in that the application can write its policies in a number of different languages. More specifically, the application gives to KeyNote programs (which can be written in a variety of programming languages) that determine if a policy applies to a request and a requestor. Because KeyNote essentially views these programs as black boxes, it is quite limited in its ability to reason about policies. As discussed in [5], the system needs to put restrictions on the programs to ensure correct analysis. This is in fact done in [6], but at the price of a substantial reduction in the expressive power of the language.

7 Conclusion

We have considered a fragment of first-order logic that, based on the policies we collected, is likely to be sufficiently expressive for many applications. We proved that, for typical policies, we could efficiently determine if actions are permitted or prohibited by the policies. Finally, we briefly discussed a prototype that allows non-logicians to benefit from our logic (see [19] for details). As we said earlier, all approaches using first-order logic restrict it in some way to get tractability. The examples that we have been collecting suggest that our language is expressive enough to capture the policies that people want to write. Moreover, we believe that our approach has significant advantages over approaches that cannot express prohibitions, such as approaches based on Datalog, when it comes to merging policy sets.

In terms of future research, we are in the process of using our logic to give semantics to the popular, though ambiguous, XrML rights language [10]. As we said, we are also investigating online databases of policies to check if our language is expressive enough to capture everything that policy writers want to say. This investigation has already led to improvements in our language. For example, it showed us that we need to support definitions. We expect that it will prove useful to find extensions of our logic that remain tractable. One avenue to explore is to consider a hybrid of our approach and Datalog. We plan to pursue this in future work.